7 Replies Latest reply: Oct 20, 2009 2:31 PM by Leonid B. (Boguslavsky) RSS

Virtual Agent??

Michel Allal

Hi All,

 

have you ever hear about a virtual agent possibility?

 

If yes do you know any limitation for this kind of agent?

 

Many thanks for your help

 

Michel

  • 1. Re: Virtual Agent??
    Ellen Harbour

    What do you mean by virtual agent?  We have remote management capabilities for many systems, but they do require an agent.  Most of our agents support management of virtual environments.

  • 2. Re: Virtual Agent??
    Michel Allal

    Hi

     

    My customer would like to manage authorization for applications.

    The number of application is not limited.

    The autorization process is preaty complex.

     

    Below an example:

    Application

    Functionary Code

    : different roles within the application.

    A person can only have one functionary code for an application for a specific company)

    A standard profile

    B application manager

    C custodian

    D custodian of rates

    E rates consulting

    F head application manager

    H custodian of external bank accounts

    Power of attorney code

    CD access to accounts of ACME staff allowed

    CE access to accounts of ACME staff is blocked

    A person can only have one "Power of attorney" code for an application for a specific company)

    Company code

    0001 : OPT bank

    0002 : OVK bank

    0019 : UVF bank

     

    The idea is to create an agent (real or virtual) to manage the ressources and autorizations.

    If it's a real agent, we will simply manage it as any other managed system.

     

    If it's a virtual agent (no managed system connection) we will use the agent as an input/output to store the data to ESS DB by an import of the access from the agent then push them back to grant the authorization.

     

    In fact, it's like a simple agent (based or less) but it should manage by import/export the authirization.

     

    Thanks in advane for your help.

     

    Best Regards

    Michel

  • 3. Re: Virtual Agent??
    Ellen Harbour

    The ESS and agents are designed to grant access based on group permissions, so the permissions themselves could be defined and roles created within the ESS to administer who is connected to those permissions.  However, your statement on "grant authorization" makes me think you are actually wanting the ESS to intervene at log in time to either grant or deny the access to a specific level of an application. 

     

    If I am reading that correctly, what you are describing sounds like our Web Access Manager (WAM) solution that we transitioned to Symphony Services.  I have not heard of anyone doing that level of fine-grain access control using ESS and our standard agents.  Our agents provision accounts and grant permissions (via group memberships) to a specific platform, application, database, etc.  The security within the application/platform/etc then manages the authentication/authorization; ESS/IDM does not get involved in that process. To be more clear, the ESS is not called when a user attempts to log in to an application or database. 

     

    By contrast, the WAM solution has an enforcement agent that sits in front of the web application and presents specific web pages based on their authentication and authorization levels.   This solution only supports web applications, but sounds like what you are describing.  I do not think it is possible or advisable to try and customize the ESS/IDM Suite to act as an authorization mechanism for an application.  The performance impact would be considerable as you would basically have to intercept every transaction (which would require a local agent) and run authorization tasks against it before the user could log in.  That is not the way ESS is designed. 

     

     

    Thanks!

     

    Ellen S Harbour

    Software Consulting Practice Lead

    ITIL v3 Expert

    404.514.0912

  • 4. Re: Virtual Agent??
    Michel Allal

    Hi Ellen,

     

    WAM seems to be the solution for this customer.

     

    Many thanks for your help.

    Best Regards

    Michel

  • 5. Re: Virtual Agent??
    Leonid B. (Boguslavsky)

    For me this description sounds a bit different. My understanding is that they want to check a possibility to use ESS DB as a storage of relevant security information (which is it is, btw) such as roles, resources and its relations, and then to have all relevant applications to refer to this data directly.

    In another words - instead of having our standard agents to push security settings from the ESS to application(s) repositories, they want applications itself to refer to central repository (which is ESS DB), using either SQL or ESS interfaces.

    By this approach we still can use all built-in functionality (profiles, templates, exits, etc), so IdM engine used with full power of it, but it will be needless to spread all decisions outside over all real repositories of those applications.

    I would call such options as a "centralized virtual security repository"(CVSR). And a broker which will be used by applications to access ESS DB data they offered to call a "virtual agent"...

    Nice idea, btw...worth to check...

    :-)

  • 6. Re: Virtual Agent??
    Ellen Harbour

    Thanks Leonid - you may have a better understanding of the need than I, so I will defer to your superior technical expertise! 

     

    Thanks!

     

    Ellen S Harbour

    Software Consulting Practice Lead

    ITIL v3 Expert

    404.514.0912

  • 7. Re: Virtual Agent??
    Leonid B. (Boguslavsky)

    Thanks, Ellen! You know how to worm my old heart... :-)

    I honestly don't think I understood it better, I just understood it different and pointed on another approach they also may thought about.

    You know better then me - in reality customer by himself not always understand what he need, so in most cases we should show him on his target.

    But not for this specific customer - they knows exactly what they need and just looking how they can have it with BMC IDM solution...